CN112889255A - Extending public WIFI hotspots to private enterprise networks - Google Patents

Extending public WIFI hotspots to private enterprise networks

Info

Publication number
CN112889255A
Authority
CN
China
Prior art keywords
enterprise
access point
service provider
internet service
data packets
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201980069933.7A
Other languages
Chinese (zh)
Inventor
A.A.阿尔多萨里
A.A.阿尔哈比
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Saudi Arabian Oil Co
Original Assignee
Saudi Arabian Oil Co
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Saudi Arabian Oil Co
Publication of CN112889255A
Legal status: Pending

Classifications

All classifications fall under H (electricity), H04 (electric communication technique): H04L (transmission of digital information, e.g. telegraphic communication) and H04W (wireless communication networks).

    • H04L63/0209 Network security; separating internal from external traffic, e.g. firewalls; architectural arrangements, e.g. perimeter networks or demilitarized zones
    • H04L63/029 Network security; separating internal from external traffic; firewall traversal, e.g. tunnelling or creating pinholes
    • H04L61/5014 Addressing or naming; address allocation; Internet protocol [IP] addresses using dynamic host configuration protocol [DHCP] or bootstrap protocol [BOOTP]
    • H04L63/0272 Network security; separating internal from external traffic; virtual private networks
    • H04L63/0892 Network security; authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols
    • H04L65/102 Support of real-time applications in data packet communication; architectures or entities; gateways
    • H04W12/088 Security arrangements; access security using filters or firewalls
    • H04L69/164 Implementation or adaptation of IP, TCP or UDP; adaptation or special uses of UDP protocol
    • H04W84/12 Network topologies; hierarchically pre-organised networks; small scale networks; WLAN [wireless local area networks]

Abstract

A system, method and computer program extend a public Wi-Fi hotspot of an internet service provider network to a private enterprise network system in order to transport non-enterprise traffic between the internet service provider network and a non-enterprise computing device. The system, method and computer program provide one or more tunnels between an access point in the private enterprise network system and the internet service provider network. A tunnel may be formed between one or more internet service provider mobile controllers and a DMZ (demilitarized zone) in the private enterprise network system via a firewall, to facilitate secure communication between non-enterprise communication devices and the internet service provider network.

Description

Extending public WIFI hotspots to private enterprise networks
Cross Reference to Related Applications
This application claims priority to and the benefit of U.S. patent application serial No. 16/166,768, entitled "EXTENDING PUBLIC WIFI HOTSPOT TO PRIVATE ENTERPRISE NETWORK", filed on October 22, 2018, the entire contents of which are incorporated herein by reference.
Technical Field
The present disclosure relates to a system, method and computer program for securely extending and broadcasting any public Wi-Fi hotspot to a private enterprise network.
Background
Computing devices typically communicate over wireless or hardwired communication links. A hotspot is a physical location where one or more computing devices may gain access to the internet, typically using wireless technology connected to an internet service provider (ISP) network communication system. Hotspots often include wireless access points (WAPs) that facilitate internet access via wireless local area networks (WLANs).
A WAP is often used to bridge wireless and hardwired communication links. A WAP may include, for example, one or more Wi-Fi devices connected to a hardwired network. A WAP may include one or more routers connected to a hardwired network. The router(s) may be stand-alone devices or devices integrated in the WAP. A WAP may be used as a hotspot where one or more computing devices may access the internet.
Fig. 1 shows an example of a prior art ISP 10. The ISP 10 typically uses the OSI model when communicating over the network 15. The ISP 10 includes a WAP 13 having a wireless connection 14, such as, for example, an antenna; the wireless connection 14 can communicate over communication link 8 with a wireless connection 12, such as an antenna, on a portable communication device 11A. The communication device 11A includes a computing device. The WAP 13 is communicatively coupled to ISP servers 16 via communication links 8 and the network 15. The ISP 10 may include a plurality of WAPs 13, which may be widely distributed over a geographic area and configured to facilitate communication with one or more communication devices 11A. The WAP 13 facilitates communication between the communication device 11A and the ISP 10 to provide internet services to the communication device 11A. The communication device 11A may be configured to automatically log onto the ISP server 16 and access the internet via the ISP 10.
Fig. 2 shows an example of a prior art private enterprise network communication system 20. The enterprise network communication system 20 includes a server suite (or server) 21, which may include a mail server 21A, a web server 21B, and a file server 21C. The enterprise network communication system 20 includes ethernet switches 22A, 22B, a plurality of computing devices 23, and a router 24. The ethernet switches 22A, 22B may be connected to the server suite 21 and the computing devices 23 via the communication links 8. The router 24 may be connected to the ethernet switches 22A, 22B via a communication link 8. The router 24 may be connected to the firewall 25, or integrally formed with the firewall 25, to connect to the network 15 via the communication link 8. In the enterprise network communication system 20, the computing device 23 may communicate with the communication device 11. The communication device 11 may be configured to automatically log on to and access the enterprise network communication system 20. The enterprise network communication system 20 may securely transfer data packets between the communication device 11 and a computing device on the enterprise network communication system 20, such as, for example, the computing device 23.
In general, operators of ISP network communication systems strive to increase and expand their network access to communication devices. On the other hand, operators of enterprise network communication systems strive to restrict non-enterprise communication devices from accessing their networks. The inventors have recognized that operators of ISP network communication systems and enterprise network communication systems, end users with communication devices, and the general public can greatly benefit from techniques to securely extend and broadcast public Wi-Fi hotspots to non-public enterprise network communication systems.
Disclosure of Invention
The present disclosure provides a novel technique, including a method, system, and computer program for securely extending access to an ISP network communication system via an enterprise network communication system. The present disclosure provides a method and system that can securely extend and broadcast Wi-Fi hotspots to enterprise network communication systems. The method and system enable a non-enterprise computing device to access a wireless network (internet) service and/or an ISP network communication system via an enterprise network communication system without affecting the security of the enterprise network communication system. The method and system are configured to reduce internal network bandwidth by routing or offloading data transmissions to an ISP network communication system.
Accordingly, the present disclosure provides a system, method and computer program for extending a public Wi-Fi hotspot of an internet service provider network to a non-enterprise communication device. The enterprise network system comprises a local area network comprising a firewall; an access point area broadcasting a service set identifier (PEC SSID) of the enterprise network system and a service set identifier (ISP SSID) of the Internet service provider network, and a mobile controller area tunneling data packets between the access point area and the Internet service provider network to securely transmit data packets between the Internet service provider network and the non-enterprise computing device, wherein the mobile controller area tunnels data packets from the access point area to provide secure transmission of data packets to and from enterprise computing devices. The mobile controller area may tunnel data packets through the firewall to the internet service provider network.
The access point area may include access points that broadcast a service set identifier (PEC SSID) of the enterprise network system and communicate with the enterprise communication devices, transmit data packets to and from the enterprise communication devices.
An access point area may include an access point that broadcasts the service set identifier (ISP SSID) of the internet service provider network and communicates with the non-enterprise communication devices, transmitting data packets to and from the non-enterprise communication devices.
The access point area may include: a first access point broadcasting the service set identifier (PEC SSID) of the enterprise network system and communicating with the enterprise communication device, transmitting data packets to and from the enterprise communication device; and a second access point broadcasting the service set identifier (ISP SSID) of the Internet service provider network and communicating with the non-enterprise communication device, transmitting data packets to and from the non-enterprise communication device.
The mobile controller area may include a mobile controller located in the internet service provider network and integrated in the mobile controller area. The mobile controller area may include another mobile controller. The other mobile controller may tunnel data packets to another internet service provider network. The other mobile controller may be located in that other internet service provider network.
The access point area may include a third access point broadcasting a service set identifier (ISP2 SSID) of another internet service provider network and communicating with another non-enterprise communication device, transmitting data packets to and from that other non-enterprise communication device, wherein the service set identifier (ISP SSID) of the internet service provider network is different from the service set identifier (ISP2 SSID) of the other internet service provider network.
The mobile controller area may tunnel data packets to provide secure transfer of data packets between the enterprise computing device and the local area network.
A method for extending a public Wi-Fi hotspot of an internet service provider network to an enterprise network system and securely transmitting data packets between a non-enterprise communication device and the internet service provider network via a demilitarized zone (DMZ) in the enterprise network system, the method comprising: broadcasting a service set identifier (PEC SSID) of the enterprise network system; broadcasting a service set identifier (ISP SSID) of the internet service provider network; tunneling data packets between an access point area in the enterprise network system and a mobile controller in the internet service provider network to securely transmit data packets between the internet service provider network and a non-enterprise computing device; and tunneling data packets between the access point area and a mobile controller in the enterprise network system to securely transmit data packets between a local area network in the enterprise network system and an enterprise computing device.
Tunneling the data packet between the access point region in the enterprise network system and the mobile controller in the internet service provider network may include: tunneling the data packet through a firewall in a local area network in the enterprise network system to the internet service provider network.
The access point region may include an access point broadcasting the service set identifier (PEC SSID) of the enterprise network system, and the method may further include: transmitting, by the access point and another mobile controller, data packets between the local area network and the enterprise communication device.
The access point region may include access points broadcasting service set identifiers (ISP SSIDs) of internet service provider networks, and the method may further include: transmitting, by the access point, data packets between the non-enterprise computing device and the mobile controller in the internet service provider network.
The access point area may include a first access point broadcasting the service set identifier (PEC SSID) of the enterprise network system and a second access point broadcasting the service set identifier (ISP SSID) of the internet service provider network, and the method may further include: transmitting, by the first access point and the mobile controller in the enterprise network system, data packets between the local area network and the enterprise communication device; and transmitting, by the second access point, data packets between the non-enterprise computing device and the mobile controller in the internet service provider network.
The method may further comprise: receiving an authentication request from the non-enterprise communication device at the access point area; and tunneling the authentication request from the access point region to the mobile controller in the internet service provider network.
The method may further comprise: forwarding the authentication request from the mobile controller to an AAA server in the Internet service provider network; and receiving an authentication reply from the AAA server at the mobile controller in the internet service provider network.
The method may further comprise: tunneling the authentication reply from the mobile controller to the access point area for forwarding to the non-enterprise communication device.
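The authentication round trip of the three preceding paragraphs, written out as an added Python model that is not part of the patent: the AP area receives the request on the ISP SSID, tunnels it to the ISP mobile controller, which forwards it to the ISP AAA server and tunnels the reply back, and only an accepted reply admits the client to the ISP tunnel. The tunnel's "secure channel" is modelled here as an HMAC-SHA256 integrity tag under a pre-shared key; the key, the SSID name, the subscriber record and the class names are constructed assumptions.

```python
"""Authentication of a non-enterprise client relayed over the secondary tunnel.
Added example, not the patent's code; all names and secrets are constructed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Assumption: the secure channel between the AP area and the ISP mobile
# controller is modelled as HMAC-SHA256 over the tunnel payload with this key.
TUNNEL_KEY = b"constructed-pec-isp-tunnel-key"


@dataclass(frozen=True)
class TunnelFrame:
    src: str
    dst: str
    payload: tuple      # sorted (key, value) pairs, so the encoding is canonical
    tag: bytes


def _mac(src: str, dst: str, payload: tuple) -> bytes:
    return hmac.new(TUNNEL_KEY, f"{src}|{dst}|{payload!r}".encode(), hashlib.sha256).digest()


def encapsulate(src: str, dst: str, fields: dict) -> TunnelFrame:
    payload = tuple(sorted(fields.items()))
    return TunnelFrame(src, dst, payload, _mac(src, dst, payload))


def decapsulate(frame: TunnelFrame) -> dict:
    """Reject any frame whose endpoints or payload were altered in transit."""
    if not hmac.compare_digest(_mac(frame.src, frame.dst, frame.payload), frame.tag):
        raise ValueError("tunnel integrity check failed")
    return dict(frame.payload)


class AAAServer:
    """ISP AAA server; subscriber records are constructed for the example."""
    ITERATIONS = 20_000

    def __init__(self, subscribers: dict):
        self._db = {}
        for user, password in subscribers.items():
            salt = secrets.token_bytes(16)
            self._db[user] = (salt, self._derive(password, salt))

    def _derive(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)

    def handle(self, request: dict) -> dict:
        record = self._db.get(request.get("user"))
        if record is None:
            return {"result": "reject", "reason": "unknown-user"}
        salt, digest = record
        if hmac.compare_digest(self._derive(request.get("password", ""), salt), digest):
            return {"result": "accept", "user": request["user"], "session_timeout": 3600}
        return {"result": "reject", "reason": "bad-credentials"}


class ISPMobileController:
    """ISP-side tunnel endpoint: decapsulate, consult AAA, tunnel the reply back."""
    NAME = "isp-mc"

    def __init__(self, aaa: AAAServer):
        self.aaa = aaa

    def receive(self, frame: TunnelFrame) -> TunnelFrame:
        request = decapsulate(frame)          # tampered frames never reach AAA
        reply = self.aaa.handle(request)
        return encapsulate(self.NAME, frame.src, reply)


class APArea:
    """Enterprise AP area in the DMZ. It holds no ISP credentials; it relays the
    exchange and opens the ISP tunnel only for clients the ISP accepted."""
    NAME = "pec-ap-area"

    def __init__(self, isp_ssid: str, isp_mc: ISPMobileController):
        self.isp_ssid, self.isp_mc = isp_ssid, isp_mc
        self.authorized = set()               # client MACs admitted to the ISP tunnel

    def authenticate(self, client_mac: str, ssid: str, user: str, password: str) -> dict:
        if ssid != self.isp_ssid:
            raise ValueError("request did not arrive on the ISP SSID; not tunnelled to the ISP")
        request = encapsulate(self.NAME, ISPMobileController.NAME,
                              {"user": user, "password": password, "mac": client_mac})
        reply = decapsulate(self.isp_mc.receive(request))
        if reply["result"] == "accept":
            self.authorized.add(client_mac)
        return reply


def build_demo() -> APArea:
    """Constructed ISP subscriber and the AP area that fronts the ISP hotspot SSID."""
    aaa = AAAServer({"alice@isp.example": "correct horse battery"})
    return APArea("ISP-Hotspot", ISPMobileController(aaa))
```

The enterprise side makes no authorization decision of its own: a MAC address joins the ISP tunnel only on an accept that arrived through the verified tunnel, and a request on the enterprise SSID is never sent to the ISP at all. A real deployment would carry the credentials inside EAP over an encrypted tunnel rather than a bare password with an integrity tag, so that the AP area never sees the subscriber's secret; the integrity check is kept here to show that a forged or altered frame is rejected before it reaches the AAA server.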
A non-transitory computer readable medium is provided, having a plurality of code segments of a computer program that, when executed by a computing device, extend a public Wi-Fi hotspot of an internet service provider network to an enterprise network system and securely transfer data packets between a non-enterprise communication device and the internet service provider network via a demilitarized zone (DMZ) in the enterprise network system. The computer readable medium includes: a PEC SSID broadcast code segment that, when executed by the computing device, controls an access point to broadcast a service set identifier (PEC SSID) of the enterprise network system; an ISP SSID broadcast code segment that, when executed by the computing device, controls another access point to broadcast a service set identifier (ISP SSID) of the internet service provider network; an ISP tunneling code segment that, when executed by the computing device, creates a secure channel and tunnels data packets between the other access point and a mobile controller in the internet service provider network to securely transmit data packets between the internet service provider network and a non-enterprise computing device; and a PEC tunneling code segment that, when executed by the computing device, creates a secure channel and tunnels data packets between the access point and a mobile controller in the enterprise network system to securely transfer data packets between a local area network in the enterprise network system and an enterprise computing device.
Additional features, advantages, and embodiments of the disclosure may be set forth or apparent from consideration of the detailed description and accompanying drawings. Furthermore, it should be understood that the foregoing summary of the disclosure, as well as the following detailed description and drawings, provide non-limiting examples which are intended to provide further explanation without limiting the scope of the disclosure as claimed.
Drawings
The accompanying drawings, which are included to provide a further understanding of the disclosure, are incorporated in and constitute a part of this specification, illustrate embodiments of the disclosure and together with the detailed description serve to explain the principles of the disclosure. No attempt is made to show structural details of the disclosure in more detail than is necessary for a fundamental understanding of the disclosure and the various ways in which it may be practiced.
Fig. 1 depicts a prior art ISP.
Fig. 2 depicts a prior art enterprise network communication system.
Fig. 3 depicts a representation of the Open Systems Interconnection (OSI) model for computer communication systems.
FIG. 4 illustrates an example of a private enterprise network communications (PEC) system constructed in accordance with the principles of the present disclosure.
FIG. 5 shows an example of an ISP that may be communicatively connected to a PEC system with one or more additional ISPs.
FIG. 6 shows an example of a communication process for connecting non-PEC communication devices to an ISP through a PEC system.
FIG. 7 shows an example of a connection flow between a communication device and a Local Area Network (LAN) in a PEC system.
Fig. 8 shows an example of a connection flow between a non-PEC communication device and a Local Area Network (LAN) in an ISP.
The present disclosure is further described in the following detailed description.
Detailed Description
The present disclosure and the various features and advantageous details thereof are explained more fully with reference to the non-limiting embodiments and examples that are described and/or illustrated in the accompanying drawings and detailed in the following description. It should be noted that the features illustrated in the drawings are not necessarily drawn to scale and features of one embodiment may be employed with other embodiments as will be appreciated by those skilled in the art even if not explicitly stated herein. Descriptions of well-known components and processing techniques may be omitted so as to not unnecessarily obscure the embodiments of the disclosure. The examples used herein are intended merely to facilitate an understanding of ways in which the disclosure may be practiced and to further enable those of skill in the art to practice the embodiments of the disclosure. Accordingly, the examples and embodiments herein should not be construed as limiting the scope of the disclosure. Moreover, it should be noted that like reference numerals represent similar parts throughout the several views of the drawings.
Referring to fig. 1 and 2, existing network systems are increasingly stressed by the ever-increasing data rate and bandwidth requirements of mobile communication devices. According to the Cisco Visual Networking Index: Forecast and Methodology, 2016-2021, enterprise IP traffic is expected to grow at an annual rate of about 21% between 2016 and 2021, reaching 45,452 petabytes per month, which is equivalent to about 4 gigabytes of data per month for the average business user. With even greater demand anticipated as the 5G standard is deployed, the inventors have recognized the desirability of offloading traffic from mobile communication devices to public and private Wi-Fi networks in a secure manner that does not pose any security risk to non-public enterprise network communication systems. The inventors have recognized that there is an unfulfilled need for a technical solution that increases and expands access to ISPs by communication devices by securely extending and broadcasting Wi-Fi hotspots to non-public enterprise network communication systems without introducing any security risk to those systems.
The inventors have conceived and created a technical solution that provides a system, method and computer program that securely extends a public Wi-Fi hotspot from an ISP to a non-public enterprise network communication (PEC) system, in particular through one or more mobile controllers and access points (APs). The PEC system can create and support one or more primary tunnels in the PEC system to handle traffic between the PEC communication devices and the PEC system, and one or more secondary tunnels in the PEC system to handle traffic between one or more ISPs and the associated non-PEC communication devices over the PEC system infrastructure, without posing any security risk to the PEC system. A secondary tunnel may be formed between one or more ISP mobile controllers and a DMZ (demilitarized zone) in the PEC system via a firewall, to facilitate secure communication between non-PEC communication devices and ISPs, e.g., through the DMZ in the PEC system. The technical solution may enable and facilitate substantial extension of public and/or ISP Wi-Fi access via non-public enterprise network communication systems, including, for example, private local area networks (LANs).
According to a non-limiting embodiment, one or more APs can be provided on the PEC system and configured to broadcast a Service Set Identifier (SSID) of the ISP, connect the non-PEC communication devices to the (e.g., public) ISP network via the APs, and facilitate tunneling communications between the non-PEC communication devices and the ISP's network via the APs and the PEC system.
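The forwarding rule implied by the two paragraphs above, as an added Python model that is not part of the patent: the AP area selects a tunnel from the SSID a frame arrived on, never from the client's inner IP packet, and a default-drop firewall between the DMZ and the rest of the enterprise admits only the encapsulated secondary tunnel toward the ISP mobile controller. The addresses, SSID names, UDP tunnel port and function names are constructed assumptions.

```python
"""Tunnel steering by SSID in the AP area and the DMZ firewall policy that admits
only the secondary tunnel.  Added example; topology values are assumptions."""
import ipaddress
from dataclasses import dataclass

PEC_SSID = "PEC-Corp"                              # assumed enterprise SSID
ISP_SSID = "ISP-Hotspot"                           # assumed ISP SSID
DMZ = ipaddress.ip_network("192.0.2.0/24")         # the AP area's tunnel endpoint lives here
LAN = ipaddress.ip_network("10.0.0.0/8")           # enterprise LAN behind the firewall
AP_AREA = ipaddress.ip_address("192.0.2.10")       # AP area tunnel source address
PEC_MC = ipaddress.ip_address("10.0.0.5")          # enterprise mobile controller
ISP_MC = ipaddress.ip_address("198.51.100.7")      # ISP mobile controller
TUNNEL_PORT = 47000                                # assumed UDP port of the tunnel


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str            # "udp" or "tcp"
    dport: int


@dataclass(frozen=True)
class Frame:
    client_mac: str
    ssid: str             # the SSID the client associated with
    inner: Packet         # the client's own IP packet


def packet(src: str, dst: str, proto: str, dport: int) -> Packet:
    return Packet(ipaddress.ip_address(src), ipaddress.ip_address(dst), proto, dport)


# Firewall between the DMZ and everything else: (action, src, dst, proto, dport).
# First match wins; anything unmatched is dropped.
RULES = [
    ("allow", DMZ, ipaddress.ip_network(f"{ISP_MC}/32"), "udp", TUNNEL_PORT),  # secondary tunnel out
    ("drop", DMZ, LAN, None, None),                                           # DMZ never initiates into the LAN
]


def firewall_verdict(pkt: Packet) -> str:
    for action, src_net, dst_net, proto, dport in RULES:
        if (pkt.src in src_net and pkt.dst in dst_net
                and proto in (None, pkt.proto) and dport in (None, pkt.dport)):
            return action
    return "drop"


def steer(frame: Frame) -> ipaddress.IPv4Address:
    """Choose the tunnel endpoint from the SSID alone; the inner packet is not consulted."""
    if frame.ssid == PEC_SSID:
        return PEC_MC
    if frame.ssid == ISP_SSID:
        return ISP_MC
    raise ValueError(f"frame on unknown SSID {frame.ssid!r}")


def forward(frame: Frame) -> list:
    """Path a client frame takes through the PEC system."""
    endpoint = steer(frame)
    path = ["ap-area"]
    if endpoint == PEC_MC:                                   # primary tunnel, stays inside the enterprise
        return path + ["primary-tunnel", "pec-mc", "lan"]
    outer = Packet(AP_AREA, endpoint, "udp", TUNNEL_PORT)   # the encapsulated packet the firewall sees
    verdict = firewall_verdict(outer)
    path += ["secondary-tunnel", f"firewall:{verdict}"]
    if verdict == "allow":
        path += ["isp-mc", "isp-network"]
    return path


def forward_bridged(frame: Frame) -> list:
    """Misconfigured AP that bridges the client's inner packet by its destination
    instead of tunnelling by SSID; the firewall's default drop is then the only guard."""
    return ["ap-area", f"firewall:{firewall_verdict(frame.inner)}"]
```

With SSID-based steering, a hotspot client whose inner packet is addressed to an enterprise host still ends up at the ISP mobile controller, because the inner destination is only examined after decapsulation on the ISP side. The firewall rules are the second layer: forward_bridged models an AP that bridges hotspot clients by inner destination, and the DMZ-to-LAN drop rule is then what keeps the client away from the LAN. The allow rule is deliberately narrow (one destination host, one protocol, one port), so a tunnel endpoint that was compromised could not reach anything else through the firewall either.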
When communicating internally and over a network system, the PEC system can follow the Open Systems Interconnection (OSI) model. The PEC system, including the computing devices connected to it, can operate at any one or more of the seven layers of the OSI model (shown in fig. 3) at any time. That is, referring to fig. 3, which illustrates the seven-layer OSI model, the PEC system can operate at the application layer 1, presentation layer 2, session layer 3, transport layer 4, network layer 5, link layer 6, and/or physical layer 7. (These numerals are the reference numerals of fig. 3, which count down from the application layer; conventional OSI numbering counts up from the physical layer as layer 1 to the application layer as layer 7.)
Referring to fig. 3, application layer 1 is the OSI layer in the computing device closest to the end user. The application layer 1 interacts with software applications in the computing device implementing the communication components. The application layer 1 may include, for example, a search engine or any other software application with which an end user may interact to perform functions.
The presentation layer 2 establishes context between software applications, which may use different syntax and semantics. The presentation layer 2 converts the data into a form that is acceptable to each software application. The operating system is an example of a presentation layer 2.
Session layer 3 controls the connections between computing devices in the communication system. This layer is responsible for establishing, managing and terminating connections between local and remote applications. This layer may provide full duplex, half duplex, or simplex operation and is responsible for checkpointing, deferring, terminating, and restarting processes.
Transport layer 4 provides the functionality and process mechanisms for transferring variable length data sequences from a source computing device to a destination computing device while maintaining quality of service (QoS). The transport layer 4 controls the reliability of a given link through flow control, segmentation and de-segmentation, and error control. The transport layer 4 may include, for example, tunneling protocol, Transmission Control Protocol (TCP), and User Datagram Protocol (UDP).
The network layer 5 provides the functionality and process mechanisms for transferring data packets from a node on a network to another node on a different network. If the data to be sent is too large, the network layer 5 may facilitate dividing the data into segments at a node and sending the segments independently to another node, where the segments may be reassembled to recreate the transmitted data. The network layer 5 may include one or more layer management protocols such as, for example, routing protocols, multicast group management, network layer information and errors, and network layer address assignment.
The link layer 6 is responsible for node-to-node transfers between computing devices in the communication system. In an IEEE 802 implementation, the link layer 6 is divided into two sub-layers, a Medium Access Control (MAC) layer and a Logical Link Control (LLC) layer. The MAC layer controls how devices in the network gain access to the medium and permission to transmit data. The LLC layer identifies and encapsulates network layer protocols and controls error checking and frame synchronization.
The physical layer 7 includes hardware to connect computing systems. The hardware may include, for example, connectors, cables, switches, etc., that provide for the transmission and reception of instruction and data streams between computing devices.
When communicating in a PEC system or over one or more networks (e.g., the internet), the communication devices can be identified by an identifier, such as, for example, an Internet Protocol (IP) address. IP addresses are 32-bit numbers (IPv4) or 128-bit numbers (IPv6). An IP address serves two main functions. First, it identifies a communication device or network interface. Second, it identifies the location of the communication device on the network.
The IP address is typically assigned to the communication device at startup (referred to as a "dynamic IP address") or permanently assigned to the communication device through a fixed configuration of hardware and/or software in the communication device (referred to as a "static IP address"). Dynamic IP addresses are typically reassigned by a Dynamic Host Configuration Protocol (DHCP) server each time a computing device connects to the DHCP server network.
On the other hand, a static IP address is permanently assigned to a communication device (such as, for example, a network printer, a server, a VPN server, etc.) and may be used to identify the communication device on the network. Static IP addresses are typically used for business applications, as compared to dynamic IP addresses, which are more commonly used for residential applications.
FIG. 4 illustrates an example of a PEC system 100 constructed according to the principles of the present disclosure. The PEC system 100 can include a non-public enterprise network communication system 20, as shown in fig. 2. The PEC system 100 includes a plurality of computing devices 110 to 180, each of which can be communicatively coupled to one or more communication links 8. The PEC system 100 includes a mobile host (MM) 110, a standby mobile host (SMM) 120, a gateway server 130, one or more mobile controllers (MCs) 145, one or more APs 155, an access server 160, a DHCP server 170, and a network manager (NM) server 180. Each MC 145 can operate as a termination point in the PEC system 100. One or more MCs 145 may be grouped as a mobile controller area. The mobile controller area may be configured to integrate one or more MCs 245 (as shown in fig. 5) from one or more ISPs 200. The mobile controller area may include a primary MC area 140 comprising a plurality of MCs 145. The primary MC area 140 may comprise a firewall and a DMZ. One or more APs 155 may be grouped as an AP area 150 comprising a plurality of APs 155. The AP area 150 may broadcast one or more radio frequency (RF) signals that include an SSID (PEC SSID) unique to the PEC system 100 or its operator. The AP area 150 may broadcast one or more RF signals that include an SSID (ISP SSID) unique to the ISP 200 (shown in fig. 5). The RF signals may include multiple ISP SSIDs, each of which may be unique to a separate ISP 200 (as shown in fig. 5). The ISP SSID is different from the PEC SSID.
The broadcast RF signal(s) may be received by one or more communication devices 11. The communication device 11 can be configured to recognize the PEC SSID and communicate with a computing device in the PEC system 100, which can be located behind a firewall. The communication device 11 can be configured to recognize the PEC SSID, log into the PEC system 100 and communicate with the PEC system 100. The non-PEC communication device 11A may be configured to recognize the ISP SSID and communicate with the ISP 200. For example, the non-PEC communication device 11A can be configured to automatically (or manually) connect to and access resources on the ISP 200. The communication device 11 and the non-PEC communication device 11A may operate at any layer of the OSI model. The communication device 11 and the non-PEC communication device 11A may be the same or different in hardware, firmware, or software.
The MM 110 may include one or more primary routers (not shown), and the SMM 120 may be a redundant backup for the MM 110. The MM 110 may act as a serving gateway and as a configuration point in the PEC system 100. The MM 110 and SMM 120 may include one or more routers running the Virtual Router Redundancy Protocol (VRRP) or the Hot Standby Router Protocol (HSRP). The MM 110 can act as the default router for the communication devices 11 and the computing devices on the shared LAN in the PEC system 100. The MM 110 may be configured with one or more virtual router identifiers (VRIDs), each with an associated set of IP addresses, on a common LAN. The MM 110 may be responsible for forwarding data packets sent to the IP addresses associated with the virtual router and for responding to Address Resolution Protocol (ARP) requests for these addresses. The MM 110 may provide automatic assignment of an available IP router to participating communication devices 11 over the active communication link, thereby increasing the availability and reliability of routing paths. If the physical router that forwards packets on behalf of the virtual router fails for any reason, another router is automatically selected to replace it. By sharing the virtual IP address and the virtual MAC address (a link-layer function, reference numeral 6 in fig. 3), two or more routers can act as a single virtual router.
The SMM 120 may provide automatic assignment of an available IP router to participating communication devices 11 over the passive communication link as needed. If the MM 110 fails, the SMM 120 may assume forwarding responsibility for the virtual router. The VRRP protocol design provides a fast transition of the master role from the failed MM 110 to the SMM 120 to minimize service interruption, together with optimizations that reduce protocol complexity while ensuring a controlled master transition under typical operating conditions. The MM 110 and SMM 120 may continuously exchange status messages (VRRP advertisements) such that, if the MM 110 fails, the SMM 120 may assume the routing responsibility of the MM 110.
The MM110 may perform protocol messaging using IP multicast datagrams and may operate on a variety of multiple access LAN technologies that may support IP multicast delivery. Each virtual router may include a unique MAC address (e.g., OSI layer 6 shown in fig. 3). Each virtual router may be identified by a Virtual Router Identifier (VRID) and a set of IP addresses. The MM110 may associate the virtual router with its real address on the interface. The MM110 may include a virtual router mapping and priorities of the virtual routers to be backed up. The mapping between VRID and address can be coordinated between all VRRP routers on the LAN.
The MM110 and SMM 120 may connect to a gateway server 130. The gateway server 130 may communicate with the MM110, SMM 120, main MC region 140, access server 160, DHCP server 170, and NM server 180 and manage communications between the MM110, SMM 120, main MC region 140, access server 160, DHCP server 170, and NM server 180. Gateway server 130 may control the flow of data between these computing devices over respective communication links 8. The gateway server 130 may operate at any of the seven layers of the OSI model (shown in figure 3). Gateway server 130 may include a firewall.
Gateway server 130 may include an authentication, authorization, and accounting (AAA) server. The AAA server may implement an AAA protocol with Extensible Authentication Protocol (EAP) support, such as, for example, Remote Authentication Dial-In User Service (RADIUS) or Diameter (DIAM-EAP). The AAA server may provide centralized authentication, authorization, and accounting management for communication devices that connect to and use the PEC system 100. The AAA server may run in the application layer (layer 1 of the OSI model as shown in fig. 3) and may use, for example, TCP or UDP as a transport protocol.
The primary MC area 140 may operate as a centralized service gateway that can be scaled to handle a large number of authentication and roaming events, including authentication of the APs 155 in the AP area 150. The MC 145 can authenticate an AP request against the AAA server in the PEC system 100, respond with authorization information, and establish an Internet Protocol Security (IPsec) tunnel or a Virtual Private Network (VPN). Each MC 145 may act as a serving gateway or VPN termination point. The primary MC area 140 may also perform stateful firewall policy monitoring and enforcement. The MC 145 may include, but is not limited in any way to, for example, an ARUBA™ 7200 series mobile controller.
The primary MC area 140 may support multiple tunnels to the MC145, which may act as a serving gateway. The primary MC area 140 can include a physical or logical sub-network that contains the PEC system's externally facing services to the internet and/or the AP area 150. The primary MC area 140 can include one or more primary tunnels to support communication between the PEC communication devices 11 and the PEC system 100. The primary MC area 140 may include one or more secondary tunnels to support communication between the non-PEC communication devices 11A and one or more ISPs 200 (shown in fig. 5). The secondary tunnels may be connected to one or more MC 245 at ISP200 through a firewall in a secure and controlled manner to meet the security and policy requirements of PEC system 100.
The primary MC area 140, which may include a firewall and a DMZ, may communicate with the AP area 150 via one or more tunnels over the communication link 80. The tunnels may include one or more primary tunnels and/or one or more secondary tunnels. A tunnel may comprise a Generic Routing Encapsulation (GRE) operator SSID tunnel or an adaptation tunnel. The primary MC area 140 may include one or more IPsec connections across the communication link 80 between the MC 145 and the AP area 150 to establish one or more tunnels. The primary MC area 140 may tunnel selected traffic between the AP 155 in the AP area 150 and the MC 145 over one or more communication links 80. For example, the MC 145 can hold an IPsec connection with the AP 155 and create GRE tunnels between the devices to securely carry data packets associated with the broadcast ISP SSID between the non-PEC communication device 11A and the ISP 200 (shown in fig. 5). The MC 145 and the AP 155 can carry the data packets over the communication link 80 between the non-PEC communication devices 11A and the ISP 200 without any processing (e.g., parsing) of the data packets. The data packets can be encrypted with an encryption scheme that the PEC system 100 cannot decrypt.
The mobile controller area, including the primary MC area 140, can integrate the MC 245 from the ISP200 (as shown in fig. 5) to extend the ISP SSID of a particular ISP200 to the PEC system 100. Network traffic can be routed to the ISP200 via the PEC system 100 infrastructure. The PEC system 100 can be a medium that extends Wi-Fi hotspots of the ISP200 to the AP155 of the PEC system 100 to reach a new area. The PEC system 100 can reduce its internet bandwidth requirements by offloading internet traffic to the ISP200, and the ISP200 can reach the new non-PEC communication device 11A at the new location through the AP155 on the PEC system 100, which AP155 broadcasts the ISP SSID associated with the ISP 200.
The AP area 150 may include one or more ISP connection links that facilitate the transfer of data packets between the AP area 150 and one or more ISPs 200 (shown in fig. 5) via the communication link 81. The ISP connection link may use, for example, UDP port 4500, IP protocol 47 (GRE), and the like. The communication link 81 may support one or more GRE ISP data tunnels formed between the AP area 150 and the ISP 200 (shown in fig. 5).
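The two protocol/port pairs just named are the entire permitted footprint of the secondary tunnel where it crosses the DMZ toward the ISP. The following is an added example, not code from the patent or from any Aruba product, of a default-deny policy model for that firewall: the zone names, the address plan and the sample packets are constructed assumptions, and only UDP 4500 and IP protocol 47 come from the page. The model is stateless for brevity, whereas the page describes stateful enforcement in the primary MC area 140.

```python
"""Added example (not from the patent): default-deny policy model for the
firewall between the AP area (150) and an ISP's MC (245).

Assumptions (not on the page): zone names, the address plan and the sample
packets are constructed. UDP 4500 (CPsec/IPsec) and IP protocol 47 (GRE)
are the values the page cites for the ISP connection link."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

PROTO_UDP = 17   # IANA protocol number
PROTO_GRE = 47   # IANA protocol number, as cited on the page


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None   # only meaningful for UDP/TCP


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: int
    dport: Optional[int]          # None means "any port" (GRE has no ports)


# Constructed address plan (assumption, not from the page).
ZONES = {
    "ap_area": ip_network("10.150.0.0/16"),    # APs 155
    "pec_lan": ip_network("10.100.0.0/16"),    # enterprise hosts, MM 110, MC 145
    "isp_mc":  ip_network("203.0.113.0/24"),   # ISP MC 245 (documentation range)
}

# The secondary tunnel is the only traffic allowed across the DMZ, in either
# direction: CPsec/IPsec on UDP 4500 and the GRE data tunnel (protocol 47).
# Nothing is allowed between the ISP and the enterprise LAN itself.
ALLOW: List[Rule] = [
    Rule("ap_area", "isp_mc", PROTO_UDP, 4500),
    Rule("isp_mc", "ap_area", PROTO_UDP, 4500),
    Rule("ap_area", "isp_mc", PROTO_GRE, None),
    Rule("isp_mc", "ap_area", PROTO_GRE, None),
]


def zone_of(addr: str) -> Optional[str]:
    """Map an address to its zone, or None if it belongs to no known zone."""
    a = ip_address(addr)
    for name, net in ZONES.items():
        if a in net:
            return name
    return None


def is_allowed(pkt: Packet) -> bool:
    """Default deny: a packet passes only if an explicit ALLOW rule matches."""
    s, d = zone_of(pkt.src), zone_of(pkt.dst)
    if s is None or d is None:
        return False
    for r in ALLOW:
        if (r.src_zone, r.dst_zone, r.proto) != (s, d, pkt.proto):
            continue
        if r.dport is None or r.dport == pkt.dport:
            return True
    return False


def audit(packets: List[Packet]) -> List[Tuple[Packet, bool]]:
    """Decision for each packet, for reviewing a proposed policy offline."""
    return [(p, is_allowed(p)) for p in packets]


# Constructed sample traffic (assumption): three legitimate tunnel packets,
# then three that a correct DMZ policy must drop.
SAMPLE = [
    Packet("10.150.1.10", "203.0.113.5", PROTO_UDP, 4500),   # CPsec from AP to ISP MC
    Packet("10.150.1.10", "203.0.113.5", PROTO_GRE),         # GRE data tunnel outbound
    Packet("203.0.113.5", "10.150.1.10", PROTO_GRE),         # GRE data tunnel return
    Packet("203.0.113.5", "10.100.7.7", PROTO_UDP, 4500),    # ISP toward enterprise LAN
    Packet("10.150.1.10", "203.0.113.5", PROTO_UDP, 53),     # AP DNS directly to ISP
    Packet("203.0.113.5", "10.100.7.7", PROTO_GRE),          # GRE aimed at enterprise LAN
]

if __name__ == "__main__":
    for pkt, ok in audit(SAMPLE):
        print("ALLOW" if ok else "DENY ", pkt)
```

The useful property to check in review is the last three decisions: the ISP side can reach the AP area on the tunnel protocols only, and can never reach the enterprise LAN zone at all, which is what keeps the extended hotspot from becoming a path into the PEC system 100.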
The AP155 may be communicatively coupled to the MC145 via a communication link 80. The AP155 may be communicatively coupled to one or more ISPs 200 via ISP connection links and communication links 81. The AP155 can include networking hardware, firmware, or software devices that can communicate with one or more of the PEC communication devices 11 or the non-PEC communication devices 11A over one or more communication links. The AP155 may be configured or controlled to broadcast a PEC SSID or an ISP SSID. The AP155 may broadcast more than one ISP SSID, where each ISP SSID is unique to a particular ISP200 (as shown in fig. 5). The broadcast PEC SSID can be hidden from detection by the non-PEC communication devices 11A. The AP155 may allow communication devices 11 to connect to the PEC system 100 or allow non-PEC communication devices 11A to connect to the ISP200 via ISP connection links and communication links 81 (as shown in fig. 5).
Access server 160 may enable, control, and manage network access, security device loading, and guest device access. Access server 160 may implement policies and control access to networks (including LANs and VPNs). The access server 160 may include an access management solution, such as, for example, the ARUBA™ ClearPass access management solution. Access server 160 may be connected to gateway server 130. Access server 160 may include one or more databases that store policy data. Access server 160 may include a firewall. The access server 160 can include an AAA server (not shown) that can provide centralized authentication, authorization, and accounting management for PEC communication devices 11 connecting to and using the PEC system 100.
The DHCP server 170 can include a network server that implements a Dynamic Host Configuration Protocol (DHCP) to automatically generate and dynamically allocate IP addresses, default gateways, and other network parameters to computing devices in the PEC system 100, such as computing devices that need to communicate with other IP networks. DHCP server 170 may receive and process IP address requests. The DHCP server 170 can manage UDP and IP settings for computing devices on the PEC system 100.
The DHCP server 170 can include a Domain Name System (DNS) for computing devices, services, and other resources connected to the PEC system 100. The DHCP server 170 may translate the more readily discernable domain names into the numeric IP addresses needed to locate and identify services and computing devices using the underlying network protocols.
The NM server 180 can include a network management platform that can perform real-time monitoring and visibility of local traffic and software applications in the PEC system 100, deep packet inspection to allow application and application-class policies, connection analysis, wireless intrusion event detection and protection, and location and mapping of the Wi-Fi coverage of the PEC system 100 and the underlying wired topology, to provide an accurate and clear picture of which computing devices are on the PEC system 100 at any time. The network management platform may include, but is not limited in any way to, for example, the Aruba AirWave Network Management Solution provided by Aruba Networks.
FIG. 5 shows an example of an ISP200 that can communicatively connect to a PEC system 100 with one or more additional ISPs 200 via a communication link 81. ISP200 may include gateway server 230, ISP MC data area 240, database 250, and DHCP server 270. Gateway server 230 may communicate with and manage communications between MC data area 240, database 250, DHCP server 270, and computing devices (not shown) on ISP200 or external to ISP200 via communication link 82. Gateway server 230 controls the flow of data between these computing devices through the respective communication links. The gateway server 230 may operate at any of the seven layers of the OSI model (shown in figure 3). Gateway server 230 may include a firewall. Gateway server 230 may include an AAA server (not shown) that may provide centralized authentication, authorization, and accounting management (AAA) for computing devices (including non-PEC communication devices 11A) connecting to and using ISP 200.
MC data area 240 may include one or more MCs 245. The MC data area 240 may include an ISP firewall. MC data area 240 may support multiple networks (e.g., VPNs) and tunnels to MC 245, each of which may act as a service gateway. Each MC 245 can support the primary MC area 140 in the PEC system 100 and communicate with the primary MC area 140 in the PEC system 100 via a tunnel over the communication link 81. The communication may include a GRE operator SSID tunnel. The MC data area 240 may include one or more IPsec connections. The MC 245 may tunnel select traffic between the ISP200 and the primary MC area 140 in the PEC system 100 through one or more communication links 81. For example, MC 245 may support GRE tunneling between primary MC area 140 and ISP200 to securely carry data packets between non-PEC communication devices 11A and MC 245 in ISP 200. MC 245 may facilitate the transmission of data packets over communication link 81, carrying data packets between PEC system 100 and ISP200, including data packets originating from or destined for non-PEC communication devices 11A. The data packets may be encrypted with an encryption scheme that is decryptable by the ISP200 but not by the PEC system 100. The MC data area 240 and the primary MC area 140 may run on the same Operating System (OS) version.
MC 245 may include one or more routers running VRRP. MC 245 may act as a default router for hosts on a shared LAN at ISP 200. MC 245 may serve as a backup for another MC 245. MC 245 may include one or more VRIs and one or more sets of associated IP addresses across the public LAN. MC 245 may be responsible for forwarding packets sent to IP addresses associated with virtual routers and answering ARP requests for those addresses.
DHCP server 270 may comprise a network server that automatically generates and dynamically allocates IP addresses, default gateways, and other network parameters to computing devices in ISP200, including non-PEC communication devices 11A. The DHCP server 270 may receive and process IP address requests. The DHCP server 270 may manage UDP/IP settings for computing devices on the ISP 200.
DHCP server 270 may include a DNS for computing devices, services, and other resources connected to ISP 200. The DHCP server 270 may translate the more readily discernable domain names into the numeric IP addresses needed to locate and identify services and computing devices using the underlying network protocols.
FIG. 6 shows an example of a communication process 300 for connecting a non-PEC communication device 11A (shown in FIG. 4) to an ISP200 (shown in FIG. 5) through a PEC system 100 (shown in FIG. 4).
Referring to fig. 4 through 6, a Wireless Access Point (WAP) signal may be received from a given AP 155 (step 305). It may be determined (e.g., based on the WAP signal from the given AP 155) whether the AP 155 is a pre-assigned AP (step 310). If it is determined that the AP 155 is not a pre-assigned AP ("NO" of step 310), it can be determined whether the AP 155 is a new AP, and the IP address request received from the AP 155 can be communicated to the DHCP server 170 in the PEC system 100 (step 315). The DHCP server 170 may use DNS to resolve the primary IP address and assign an IP address to the AP 155 (step 320). It may be checked whether the AP 155 is running the same image as the associated MC 145 (step 325). If it is determined that the AP 155 is not running an image, or is running an image that differs from that of the associated MC 145 ("NO" of step 325), the image corresponding to the associated MC 145 may be downloaded to the AP 155 using, for example, File Transfer Protocol (FTP, via TCP port 21), Trivial FTP (TFTP, via UDP port 69), etc. (step 330), and the AP 155 may be restarted (step 335). Communication between the AP 155 and the MM 110 or MC 145 may be facilitated by the DHCP (and DNS) server 170, the PAPI protocol (via UDP port 8211), and control plane security (CPsec) (via UDP port 4500). If it is determined that the AP 155 is running the same image as the associated MC 145 ("YES" of step 325), the AP may be restarted (step 335).
If it is determined that the AP155 is a pre-assigned AP ("YES" of step 310), it may be determined whether the AP155 is pre-assigned with a broadcast ISP SSID (step 340). The PEC system 100 can include two or more APs 155, or two or more areas of APs 155, where each AP155 (or area of APs 155) is dedicated to broadcasting a unique ISP SSID, each unique ISP SSID belonging to a particular ISP 200.
If it is determined that the AP 155 is pre-assigned to broadcast the PEC SSID (not an ISP SSID) ("NO" of step 340), the IP address request received from the AP 155 can be communicated to the DHCP server 170 in the PEC system 100 (step 345). Communication between the AP 155 and the MC 145 may be facilitated by the DHCP (and DNS) server 170, CPsec (via UDP port 4500), SYSLOG (via UDP port 123), PAPI message heartbeat (via UDP port 8211) (8209), and GRE (protocol 47). The DHCP server 170 may use DNS to resolve the primary IP address and assign an IP address to the AP 155 (step 350). A secure channel may be established to the AP 155 (step 355), such as, for example, a secure PAPI protocol channel using UDP 4500 (CPsec tunnel). After the secure channel is established (step 355), a GRE tunnel can be established with the MC 145 and the PEC SSID can be broadcast by the AP 155 (step 360); the PEC communication device 11 can then join it to communicate securely with computing devices on the PEC system 100. The communication device 11 can be authenticated (step 365) by, for example, an AAA server (not shown) included in the gateway server 130 or the access server 160, an IP address is assigned and forwarded to the communication device 11 (step 370), and data packets can then be securely communicated between the communication device 11 and the computing devices on the PEC system 100.
If it is determined that AP155 is a pre-assigned AP (yes at step 310) and AP155 is pre-assigned to broadcast the ISP SSID (yes at step 340), a secure channel may be established between AP155 and associated MC 245 at ISP200 (step 375). Data transfer between AP155 and MC 245 can be facilitated through a firewall in PEC system 100 via control plane Security (CPsec), e.g., using UDP port 4500, GRE (using protocol 47). All multi-zone APs 155 broadcasting the ISP SSID of a particular ISP200 may reach MC 245 in that ISP 200. After establishing the secure channel (step 375), a GRE tunnel can be established with MC 245 at ISP200 and the ISP SSID of ISP200 can be broadcast by AP155 (step 380) and can then be accessed by one or more non-PEC communication devices 11A. If multiple APs 155 are pre-assigned to broadcast the ISP SSID in multiple locations or areas, a secure channel can be established between AP155 and MC 245 at ISP 200. The non-PEC communication device 11A can be authenticated (step 385) by, for example, an AAA server (not shown) included in the gateway server 230, and an IP address assigned and forwarded by the ISP AAA server to the non-PEC communication device 11A (step 390), and the data packets can be securely communicated over a GRE tunnel between the non-PEC communication device 11A and the MC 245 in the ISP200 (step 395).
Process 300 can integrate the MC 245 of the ISP 200 with the MC 145 in the PEC system 100, thereby extending the ISP SSID of a particular ISP 200 to the PEC system 100, securely tunneling data transmissions, and managing traffic flow between the non-PEC communication devices 11A and the ISP 200 through the PEC system 100 infrastructure. Thus, the PEC system 100 can extend the service provider's public hotspots of the ISP 200 to reach new areas.
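The decision flow of FIG. 6 is easier to audit when written as a pure function whose only inputs are the AP's provisioning attributes. The following is an added example, not code from the patent or from any Aruba product: the `ApState` field names and the `image-A`/`image-B` strings are constructed assumptions; the step numbers, branch conditions and the ports in the comments are taken from the description of steps 305 to 395 above.

```python
"""Added example (not part of the patent): the AP provisioning flow of FIG. 6
(steps 305-395) as a pure function returning the ordered list of steps.

Assumptions: the ApState/Outcome field names and the image strings used in
tests are constructed. Step numbers and branches follow the page."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ApState:
    pre_assigned: bool            # outcome of step 310
    broadcasts_isp_ssid: bool     # outcome of step 340 (only consulted if pre_assigned)
    image: Optional[str]          # firmware image running on the AP, None if none
    mc_image: str                 # image of the associated MC 145 (compared at step 325)


@dataclass
class Outcome:
    steps: List[int]
    ssid_kind: Optional[str]      # "PEC", "ISP", or None when the AP was only restarted
    tunnel_to: Optional[str]      # "MC 145" (enterprise) or "MC 245" (ISP)
    aaa: Optional[str]            # which AAA server authenticates the client


def process_300(ap: ApState) -> Outcome:
    """Walk the FIG. 6 flow for one AP and report which path it took."""
    steps = [305, 310]                         # WAP signal received; pre-assigned?
    if not ap.pre_assigned:
        steps += [315, 320, 325]               # new AP: DHCP request, DNS/IP, image check
        if ap.image is None or ap.image != ap.mc_image:
            steps.append(330)                  # pull the MC's image (FTP tcp/21 or TFTP udp/69)
        steps.append(335)                      # restart; provisioning resumes on next boot
        return Outcome(steps, None, None, None)

    steps.append(340)                          # pre-assigned to broadcast an ISP SSID?
    if not ap.broadcasts_isp_ssid:
        # Enterprise path: CPsec on udp/4500, then GRE to MC 145 inside the PEC system.
        steps += [345, 350, 355, 360, 365, 370]
        return Outcome(steps, "PEC", "MC 145", "PEC AAA (gateway 130 / access server 160)")

    # ISP path: CPsec and GRE cross the DMZ firewall to MC 245 at the ISP. The
    # PEC side forwards the tunnel but never authenticates the client itself.
    steps += [375, 380, 385, 390, 395]
    return Outcome(steps, "ISP", "MC 245", "ISP AAA (gateway 230)")


if __name__ == "__main__":
    for state in (
        ApState(False, False, None, "image-A"),
        ApState(True, False, "image-A", "image-A"),
        ApState(True, True, "image-A", "image-A"),
    ):
        print(process_300(state))
```

Two things the function makes explicit that the prose leaves implicit: an AP that is not pre-assigned never reaches an SSID-broadcasting state in this pass (it ends at the restart of step 335), and the ISP path never touches the enterprise AAA server, which is the property an operator would want to verify in controller logs after a change to AP groups.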
Each of the communication devices 11, 11A may include a network interface (not shown). The communication devices 11, 11A may use transport layer protocols such as TCP or UDP and network layer protocols such as IP to transport and manage the communication of data packets to and from the communication devices. The transport layer may specify a source port number and a destination port number in the header of the data packet. The port number may comprise a two-byte (16-bit) unsigned integer ranging from, for example, 0 to 65535. For example, port numbers 80 and 443 are typically associated with the internet: port number 80 is associated with the World Wide Web ("WWW"), and port number 443 with the WWW over Secure Sockets Layer ("SSL").
The network layer (OSI layer 5 as shown in fig. 3) may include a four (4) byte IP address (IPv4) or a six (6) byte IP address (IPv6) assigned to each network interface card (not shown) on each communication device 11, 11A. This may be done automatically, for example, by the DHCP server 170 in the PEC system 100 serving the communication device 11 or the DHCP server 270 in the ISP200 serving the communication device 11A. The IP address can then be used to locate and connect the communication device 11 to the PEC system 100 and to locate and connect the communication device 11A to the ISP 200.
During communication on the PEC system 100 or ISP 200, the communication device 11, 11A can implement a binding process that associates an input/output channel of the communication device with a transport protocol, a port number, and an IP address through an internet socket, which can be a type of file descriptor. The binding process may enable the communication devices 11, 11A to transmit and receive data packets through the PEC system 100 or ISP 200. The task of the operating system networking software in the communication devices 11, 11A may be to send outgoing data from all application ports onto the PEC system 100 or ISP 200 and to forward arriving network data packets to a process by matching the IP address and port number resolved from the header of each incoming data packet. Individual processes in the communication devices 11, 11A may be bound to a particular IP address and port combination using the same transport protocol.
The IP address assigned to each communication device 11, 11A may be used as a unique identifier for a network interface (not shown) at the network layer. When the network interface is connected to the PEC system 100 or ISP200, the IP address can be used to locate and establish a communication session with the associated communication device 11, 11A. The IP address may include a network prefix number, a host number, and a subnet number. The network prefix number can be provided to the communication device 11 by the PEC system 100 and to the communication device 11A by the associated ISP200 providing service to the communication device 11A.
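The binding and demultiplexing described above can be shown concretely by parsing a datagram's IPv4 and UDP headers and looking up the (protocol, local address, port) tuple in a socket table. The following is an added example, not code from the patent: the packet bytes are built here rather than captured, and the socket table and process names are constructed assumptions (the port 8211 and 4500 entries reuse values the page cites for PAPI and CPsec). It handles IPv4 only and rejects truncated or corrupted headers rather than delivering them.

```python
"""Added example (not from the patent): how a host's network stack matches an
arriving datagram to a bound socket by (protocol, IP address, port).

Assumptions: the packet bytes are constructed with build_udp_packet(); the
BOUND table and process names are illustrative, not from the page."""
import struct
from ipaddress import IPv4Address
from typing import Dict, Optional, Tuple

PROTO_UDP = 17   # IANA protocol number for UDP


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum, as used for the IPv4 header checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_udp_packet(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Construct a 20-byte IPv4 header (no options) + UDP header + payload."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload   # UDP checksum 0 = absent
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, PROTO_UDP, 0,
                      IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]     # fill header checksum
    return hdr + udp


def parse_udp_packet(pkt: bytes) -> Tuple[str, str, int, int, bytes]:
    """Return (src_ip, dst_ip, sport, dport, payload); raise ValueError on malformed input."""
    if len(pkt) < 20:
        raise ValueError("short IPv4 header")
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(pkt) < total_len or total_len < ihl + 8:
        raise ValueError("not a complete IPv4 packet")
    if checksum(pkt[:ihl]) != 0:        # a valid header, checksum included, sums to zero
        raise ValueError("bad IPv4 header checksum")
    if proto != PROTO_UDP:
        raise ValueError("not UDP")
    sport, dport, udp_len, _ = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    if udp_len < 8 or ihl + udp_len > total_len:
        raise ValueError("bad UDP length")
    return str(IPv4Address(src)), str(IPv4Address(dst)), sport, dport, pkt[ihl + 8:ihl + udp_len]


def is_valid(pkt: bytes) -> bool:
    """True if the datagram parses cleanly; used to drop damaged input early."""
    try:
        parse_udp_packet(pkt)
        return True
    except ValueError:
        return False


# Constructed socket table (assumption): the bind() step associates
# (protocol, local IP, port) with the process that owns the socket.
SocketKey = Tuple[int, str, int]
BOUND: Dict[SocketKey, str] = {
    (PROTO_UDP, "10.100.5.20", 8211): "papi-agent",   # PAPI port cited on the page
    (PROTO_UDP, "0.0.0.0", 4500): "ike-nat-t",        # wildcard bind on the CPsec port
}


def deliver(pkt: bytes, table: Dict[SocketKey, str] = BOUND) -> Optional[str]:
    """Choose the bound process for an incoming datagram: the exact local-address
    bind wins over a 0.0.0.0 wildcard; None means nothing is listening."""
    _, dst_ip, _, dport, _ = parse_udp_packet(pkt)
    return table.get((PROTO_UDP, dst_ip, dport)) or table.get((PROTO_UDP, "0.0.0.0", dport))


if __name__ == "__main__":
    p = build_udp_packet("10.150.1.10", "10.100.5.20", 40000, 8211, b"hello")
    print(parse_udp_packet(p), "->", deliver(p))
```

The parser validates the header checksum and both length fields before trusting any offset, which is the part of "matching IP addresses and port numbers resolved from the headers" that a careless implementation skips; a truncated or bit-flipped packet is rejected instead of being handed to a listener.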
A non-transitory computer-readable medium can be provided that contains a computer program that, when executed on one or more computing devices in the PEC system 100 or ISP200, causes the process 300 in fig. 6 to be performed. A computer program can be tangibly embodied in a computer-readable medium, comprising one or more program instructions, code segments, or code portions, for performing each of steps 305 to 395 when executed by one or more computing devices in the PEC system 100 or ISP 200. When executed by the PEC system 100 or ISP200, the process 300 can securely extend the ISP's 200 public Wi-Fi hotspots to one or more APs 155 on the PEC system 100 through the ISP MC data region 240 (e.g., through the MC 245 integrated into the master MC region 140). The AP155 can provide primary (or enterprise-specific) GRE tunnels in the PEC system 100, as well as auxiliary GRE tunnels that connect to the ISP200 through firewalls in the DMZ in the primary MC area 140 in a secure and controlled manner to meet the requirements and policies of the PEC system 100 and ISP 200.
FIG. 7 shows an example of a connection flow between a communication device 11 and a Local Area Network (LAN) (PEC LAN) in the PEC system 100. Referring to fig. 4 and 7, the AP 155 can broadcast the PEC SSID of the PEC system 100, which can be detected by the communication device 11. The communication device 11, which has been configured to operate on the PEC system 100, can send an EAP authentication request, EAP AUTH, to the AP 155 (step 410). The AP 155 may tunnel the EAP AUTH to the primary MC area 140 (step 412), which may in turn forward the EAP AUTH to, for example, a LAN in the PEC system 100 (step 414). The EAP AUTH may operate directly on a data link layer, such as, for example, the Point-to-Point Protocol (PPP) or IEEE 802, without requiring IP. The EAP AUTH may be received by an AAA server in the PEC system 100, which may then authenticate the communication device 11 and respond with an authentication reply, EAP REPLY (step 420). The EAP REPLY may be received by the primary MC area 140 and tunneled to the AP 155 (step 422) and forwarded to the communication device 11 (step 424).
The communication device 11 may send an IP address request to the AP155 requesting assignment of an IP address and the network parameter DHCP REQ (step 430). The AP155 may tunnel the DHCP REQ to the primary MC area 140 (step 432), which in turn, the primary MC area 140 may forward the DHCP REQ to the DHCP server 170 in the PEC system 100 (step 434). The DHCP server 170 may assign an IP address and may send a response DHCP REPLY including the IP address and networking parameters to the primary MC region 140 (step 440). DHCP REPLY may be tunneled from the primary MC area 140 to the AP155 (step 442) and forwarded to the communication device 11 (step 444).
After being authenticated and receiving the IP address and networking parameters, the communication device 11 may send an Internet Control Message Protocol (ICMP) request, ICMP REQ, to the AP 155 (step 450). The ICMP REQ may include, for example, operational information, an error message, or a ping such as an ICMP ECHO_REQUEST data packet. The AP 155 may tunnel the ICMP REQ to the primary MC area 140 (step 452), which may in turn forward the ICMP REQ to the access server 160 or network manager 180 in the PEC system 100 (step 454). The access server 160 or the network manager 180 may respond with an ICMP REPLY to the primary MC area 140 (step 460). The ICMP REPLY may include, for example, operational information responsive to the ICMP ECHO_REQUEST data packet, an error message, or an ICMP ECHO_REPLY packet. The ICMP REPLY may be tunneled from the primary MC area 140 to the AP 155 (step 462) and forwarded to the communication device 11 (step 464).
Fig. 8 shows an example of a connection flow between the non-PEC communication device 11A and a LAN (ISP data area LAN) in the ISP 200. Referring to fig. 4, 5, and 7, the AP 155 may broadcast the ISP SSID of the ISP 200, which can be detected by the non-PEC communication device 11A. The non-PEC communication device 11A, which may be configured to operate with the ISP 200, may send an EAP authentication request, EAP AUTH, to the AP 155 (step 510). The AP 155 may tunnel the EAP AUTH to the MC data area 240 in the ISP 200 (step 512), which may in turn forward the EAP AUTH to, for example, a LAN in the ISP 200 (step 514). The EAP AUTH may be received by an AAA server in the ISP 200, which may then authenticate the non-PEC communication device 11A and respond with an authentication reply, EAP REPLY (step 520). The EAP REPLY may be received by the MC data area 240 and tunneled to the AP 155 (step 522) and forwarded to the non-PEC communication device 11A (step 524).
Upon receiving the EAP REPLY (step 524), the non-PEC communication device 11A may send an IP address request, DHCP REQ, to the AP 155 requesting allocation of an IP address and network parameters (step 530). The AP 155 may tunnel the DHCP REQ to the MC data area 240 (step 532), and the MC data area 240 may in turn forward the DHCP REQ to the DHCP server 270 in the ISP 200 (step 534). The DHCP server 270 may assign an IP address and may send a response, DHCP REPLY, including the IP address and networking parameters to the MC data area 240 (step 540). The DHCP REPLY may be tunneled from the MC data area 240 to the AP 155 (step 542) and forwarded to the non-PEC communication device 11A (step 544).
After being authenticated and receiving the IP address and the network parameters, the non-PEC communication device 11A may transmit an ICMP request (ICMP REQ) to the AP 155 (step 550). The ICMP REQ may include, for example, operational information, an error message, or a ping such as an ICMP ECHO_REQUEST data packet. The AP 155 may tunnel the ICMP REQ to the MC data area 240 in the ISP 200 (step 552), and the MC data area 240 may in turn forward the ICMP REQ to an access server or network manager in the ISP 200 (step 554). The access server or network manager may respond with an ICMP REPLY to the MC data area 240 (step 560). The ICMP REPLY may include, for example, operational information responsive to the ICMP ECHO_REQUEST data packet, an error message, or an ICMP ECHO_REPLY packet. The ICMP REPLY may be tunneled from the MC data area 240 to the AP 155 (step 562) and forwarded to the non-PEC communication device 11A (step 564).
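The flows of FIG. 7 and FIG. 8 are the same three exchanges (EAP, DHCP, ICMP) over two different tunnels, and the security-relevant difference is only which MC area and which backend servers each tunnel reaches. The following is an added example, not code from the patent or from any Aruba product, that models both flows with both sides of every exchange: the class names, the SSID-to-tunnel table and the credential stores are constructed assumptions, while the step numbers and message names are those of the two figures.

```python
"""Added example (not part of the patent): the connection flows of FIG. 7
(enterprise client, steps 410-464) and FIG. 8 (ISP client, steps 510-564)
as a message-passing simulation with both sides of each exchange.

Assumptions: class names, the SSID-to-tunnel table, the credential stores and
the address prefixes are constructed; step numbers and messages follow the page."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Trace = List[Tuple[int, str, str, str]]   # (step, sender, receiver, message)


@dataclass
class Backend:
    """Servers reachable behind one MC area: AAA, DHCP and the access/NM server."""
    name: str
    aaa_users: Dict[str, str]   # constructed credential store (assumption)
    prefix: str                 # constructed address prefix (assumption)
    next_host: int = 5

    def aaa(self, user: str, secret: str) -> bool:
        return self.aaa_users.get(user) == secret

    def dhcp(self) -> str:
        ip = f"{self.prefix}.{self.next_host}"
        self.next_host += 1
        return ip

    def icmp(self, request: str) -> str:
        return "ECHO_REPLY" if request == "ECHO_REQUEST" else "error"


PEC = Backend("PEC LAN", {"alice@corp": "s3cret"}, "10.100.20")
ISP = Backend("ISP data area LAN", {"bob@isp": "hotspot"}, "198.51.100")

# The AP selects the tunnel from the SSID the client joined and nothing else:
# enterprise frames go to MC area 140 (FIG. 7), ISP frames to MC data area 240 (FIG. 8).
TUNNELS = {
    "PEC-SSID": ("MC area 140", PEC, 410),
    "ISP-SSID": ("MC data area 240", ISP, 510),
}


def connect(ssid: str, user: str, secret: str) -> Tuple[bool, str, Trace]:
    """Run EAP -> DHCP -> ICMP for one client over the tunnel selected by `ssid`.
    Returns (authenticated, assigned_ip, trace)."""
    mc, be, base = TUNNELS[ssid]
    trace: Trace = []

    def hop(offset: int, src: str, dst: str, msg: str) -> None:
        trace.append((base + offset, src, dst, msg))

    # EAP AUTH: client -> AP -> (tunnel) MC -> AAA behind that MC; the reply retraces the path.
    hop(0, "client", "AP 155", "EAP AUTH")
    hop(2, "AP 155", mc, "EAP AUTH")
    hop(4, mc, be.name, "EAP AUTH")
    ok = be.aaa(user, secret)
    hop(10, be.name, mc, "EAP REPLY " + ("success" if ok else "failure"))
    hop(12, mc, "AP 155", "EAP REPLY")
    hop(14, "AP 155", "client", "EAP REPLY")
    if not ok:
        return False, "", trace   # no address and no data path without AAA success

    # DHCP REQ / DHCP REPLY through the same tunnel to the DHCP server behind the MC.
    hop(20, "client", "AP 155", "DHCP REQ")
    hop(22, "AP 155", mc, "DHCP REQ")
    hop(24, mc, be.name, "DHCP REQ")
    ip = be.dhcp()
    hop(30, be.name, mc, f"DHCP REPLY {ip}")
    hop(32, mc, "AP 155", "DHCP REPLY")
    hop(34, "AP 155", "client", "DHCP REPLY")

    # ICMP ECHO_REQUEST / ECHO_REPLY to the access server or network manager behind the MC.
    hop(40, "client", "AP 155", "ICMP REQ ECHO_REQUEST")
    hop(42, "AP 155", mc, "ICMP REQ")
    hop(44, mc, be.name, "ICMP REQ")
    reply = be.icmp("ECHO_REQUEST")
    hop(50, be.name, mc, f"ICMP REPLY {reply}")
    hop(52, mc, "AP 155", "ICMP REPLY")
    hop(54, "AP 155", "client", "ICMP REPLY")
    return True, ip, trace


def parties(trace: Trace) -> Set[str]:
    """Every sender or receiver in a trace; used to confirm that an ISP client's
    flow never touches an enterprise-side element."""
    return {p for _, src, dst, _ in trace for p in (src, dst)}


if __name__ == "__main__":
    for step, src, dst, msg in connect("ISP-SSID", "bob@isp", "hotspot")[2]:
        print(step, f"{src} -> {dst}:", msg)
```

Running the ISP flow and checking `parties()` against the enterprise element names is the test an operator would keep: if the primary MC area 140 or the PEC LAN ever appears in an ISP client's trace, the SSID-to-tunnel mapping on the AP has been misconfigured.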
A non-transitory computer-readable medium containing a computer program that, when executed on one or more computing devices in the PEC system 100 or ISP200, causes the connection streams shown in fig. 7 and 8 to be executed by the PEC system 100 and/or ISP200 can be provided. The computer program can be tangibly embodied in a computer-readable medium, comprising one or more program instructions, code segments, or code portions for performing each of steps 410-464 of fig. 7 and steps 510-564 of fig. 8 when executed by one or more computing devices in the PEC system 100 or ISP 200.
The terms "a", "an" and "the" as used in this disclosure mean "one or more" unless expressly specified otherwise.
The term "communication device" as used in this disclosure refers to any hardware, firmware, or software that can send or receive data packets, instruction signals, or data signals over a communication link. The hardware, firmware, or software may include, for example, but is not limited to, a telephone, a smart phone, a Personal Digital Assistant (PDA), a smart watch, a tablet, a computer, a Software Defined Radio (SDR), and so forth.
The term "communication link" as used in this disclosure refers to a wired and/or wireless medium that communicates data or information between at least two points. Wired or wireless media may include, for example, a metal conductor link, a Radio Frequency (RF) communication link, an Infrared (IR) communication link, an optical communication link, and so forth, without limitation. The RF communication link may include, for example, Wi-Fi, WiMAX, IEEE 802.11, DECT, 0G, 1G, 2G, 3G, or 4G cellular standards, Bluetooth, etc., but is not limited thereto.
The term "computer" or "computing device" as used in this disclosure refers to any machine, device, circuit, component, or module capable of manipulating data in accordance with one or more instructions, or any system of machines, devices, circuits, components, modules or the like, such as for example but not limited to, a processor, microprocessor, central processing unit, general purpose computer, supercomputer, personal computer, laptop computer, palmtop computer, notebook computer, desktop computer, workstation computer, server farm, computer cloud, or the like, or an array of processors, microprocessors, computers, central processing units, general purpose computers, supercomputers, personal computers, laptop computers, palmtop computers, notebook computers, desktop computers, workstation computers, servers, and the like, but is not so limited.
The term "computer-readable medium" as used in this disclosure refers to any storage medium that participates in providing data (e.g., instructions) that may be read by a computer. Such a medium may take many forms, including non-volatile media and volatile media. Non-volatile media may include, for example, optical or magnetic disks and other persistent memory. Volatile media may include Dynamic Random Access Memory (DRAM). Common forms of computer-readable media include, for example, a floppy disk, a flexible disk, hard disk, magnetic tape, any other magnetic medium, a CD-ROM, DVD, any other optical medium, punch cards, paper tape, any other physical medium with patterns of holes, a RAM, a PROM, an EPROM, a FLASH-EEPROM, any other memory chip or cartridge, a carrier wave as described hereinafter, or any other medium from which a computer can read. The computer-readable medium may comprise a "cloud" comprising a file distribution across multiple (e.g., thousands) of memory caches on multiple (e.g., thousands) of computers.
Various forms of computer-readable media may be involved in carrying a sequence of instructions to a computer. For example, the sequences of instructions may be (i) delivered to the processor from RAM, (ii) carried over a wireless transmission medium, and/or (iii) formatted according to any number of formats, standards, or protocols, including, for example, Wi-Fi, WiMAX, IEEE 802.11, DECT, 0G, 1G, 2G, 3G, 4G, or 5G cellular standards, Bluetooth, etc.
The term "transmission" as used in this disclosure refers to the transmission of signals via electrical, acoustic, light, and other electromagnetic emissions, such as those generated in conjunction with communications in the Radio Frequency (RF) or Infrared (IR) spectrum. Transmission media for such transmission may include coaxial cables, copper wire and fiber optics, including the wires that comprise a system bus coupled to the processor.
The term "database" as used in this disclosure refers to any combination of software and/or hardware, including at least one application and/or at least one computer. The database may include a structured collection of records or data organized according to a database model, such as, for example, but not limited to, at least one of a relational model, a hierarchical model, a network model, and the like. The database may include a database management system application (DBMS) as is known in the art. The at least one application may include, but is not limited to, an application that may accept a connection to service a request from a client, for example, by sending a response back to the client. The database may be configured to run at least one application for an extended period of time, typically under heavy workload, unattended with minimal human guidance.
As used in this disclosure, the terms "comprising," "including," and variations thereof mean "including, but not limited to," unless expressly specified otherwise.
The term "network" as used in this disclosure refers to, for example, but is not limited to, at least one of a Local Area Network (LAN), a Wide Area Network (WAN), a Metropolitan Area Network (MAN), a Personal Area Network (PAN), a campus area network, an enterprise area network, a Global Area Network (GAN), a Broadband Area Network (BAN), a cellular network, the internet, or the like, or any combination of the preceding, any of which may be configured to communicate data via a wireless and/or wireline communication medium. These networks may run various protocols and are not limited to TCP/IP, IRC, or HTTP.
The term "server" as used in this disclosure refers to any combination of software and/or hardware, including at least one application and/or at least one computer, to perform services for connected clients as part of a client-server architecture. The at least one server application may include, but is not limited to, an application that may accept a connection to service a request from a client, for example, by sending a response back to the client. The server may be configured to run at least one application for an extended period of time, typically under heavy workload, unattended with minimal human guidance. A server may include a plurality of computers configured with at least one application that is divided among the computers according to workload. For example, at least one application may run on a single computer under light load. However, under heavy loads, multiple computers may be required to run at least one application. The server or any of its computers may also be used as a workstation.
Devices that are in communication with each other need not be in continuous communication with each other, unless expressly specified otherwise. In addition, devices that are in communication with each other may communicate directly or indirectly through one or more intermediaries.
Although process steps, method steps, algorithms or the like may be described in a sequential order, such processes, methods and algorithms may be configured to work in alternate orders. In other words, any order or sequence of steps that may be described does not necessarily indicate a requirement that the steps be performed in that order. The steps of a process, method, or algorithm described herein may be performed in any practical order. Furthermore, some steps may be performed simultaneously.
When a single apparatus or article is described herein, it will be readily apparent that more than one apparatus or article may be used in place of a single device or article. Similarly, where more than one device or article is described herein, it will be readily apparent that a single device or article may be used in place of the more than one device or article. The functionality or the features of a device may be alternatively embodied by one or more other devices which are not explicitly described as having such functionality or features.
While the disclosure has been described in terms of exemplary embodiments, those skilled in the art will recognize that the disclosure can be practiced with modification within the spirit and scope of the appended claims. These examples are merely illustrative and are not meant to be an exhaustive list of all possible designs, embodiments, applications or modifications of the disclosure.

Claims (20)

1. An enterprise network system for extending a public Wi-Fi hotspot of an internet service provider network to a non-enterprise communication device, the enterprise network system comprising:
a local area network comprising a firewall;
an access point area broadcasting a service set identifier (PEC SSID) of the enterprise network system and a service set identifier (ISP SSID) of the Internet service provider network; and
a mobile controller area that tunnels data packets between the access point area and the Internet service provider network to securely transmit data packets between the Internet service provider network and the non-enterprise computing device,
wherein the mobile controller area tunnels data packets from the access point area to provide secure transmission of data packets to and from enterprise computing devices.
2. The enterprise network system as claimed in claim 1, wherein said mobile controller area tunnels data packets through said firewall to said internet service provider network.
3. The enterprise network system of claim 1, wherein the access point region comprises:
an access point that broadcasts the service set identifier (PEC SSID) of the enterprise network system and communicates with the enterprise communication device, transmitting data packets to and from the enterprise communication device.
4. The enterprise network system of claim 1, wherein the access point region comprises:
an access point broadcasting the service set identifier (ISP SSID) of the Internet service provider network and communicating with the non-enterprise communication device, transmitting data packets to and from the non-enterprise communication device.
5. The enterprise network system of claim 1, wherein the access point region comprises:
a first access point broadcasting the service set identifier (PEC SSID) of the enterprise network system and communicating with the enterprise communication device, transmitting data packets to and from the enterprise communication device; and
a second access point broadcasting the service set identifier (ISP SSID) of the Internet service provider network and communicating with the non-enterprise communication device, transmitting data packets to and from the non-enterprise communication device.
6. The enterprise network system as claimed in claim 1, wherein the mobile controller area includes a mobile controller located in the internet service provider network and integrated therein.
7. The enterprise network system of claim 6, wherein the mobile controller area comprises another mobile controller.
8. The enterprise network system of claim 7, wherein the another mobile controller tunnels data packets to another internet service provider network.
9. The enterprise network system of claim 8, wherein the another mobile controller is located in the another internet service provider network.
10. The enterprise network system of claim 5, wherein the access point region comprises:
a third access point broadcasting a service set identifier (ISP2SSID) of another Internet service provider network and communicating with another non-enterprise communication device, transmitting data packets to and from the other non-enterprise communication device,
wherein a service set identifier (ISP SSID) of the Internet service provider network is different from a service set identifier (ISP2SSID) of the other Internet service provider network.
11. The enterprise network system as claimed in claim 1, wherein the mobile controller area tunnels data packets to provide secure transmission of data packets between the enterprise computing device and the local area network.
12. A method for extending a public Wi-Fi hotspot of an internet service provider network to an enterprise network system and securely transmitting data packets between a non-enterprise communication device and the internet service provider via a quarantine partition in the enterprise network system, the method comprising:
broadcasting a service set identifier (PEC SSID) of the enterprise network system;
broadcasting a service set identifier (ISP SSID) of the Internet service provider network;
tunneling data packets between an access point area in the enterprise network system and a mobile controller in the internet service provider network to securely transmit data packets between the internet service provider network and a non-enterprise computing device; and
tunneling data packets between the access point area and a mobile controller in the enterprise network system to securely transmit data packets between a local area network in the enterprise network system and an enterprise computing device.
13. The method of claim 12, wherein tunneling the data packets between the access point area in the enterprise network system and the mobile controller in the internet service provider network comprises: tunneling the data packet through a firewall in a local area network in the enterprise network system to the internet service provider network.
14. The method of claim 12, wherein the access point area comprises an access point broadcasting the service set identifier (PEC SSID) of the enterprise network system, the method further comprising:
transmitting, by the access point and another mobile controller, data packets between the local area network and the enterprise communication device.
15. The method of claim 12, wherein the access point area comprises an access point broadcasting a service set identifier (ISP SSID) of the internet service provider network, the method further comprising:
transmitting, by the access point, data packets between the non-enterprise computing device and the mobile controller in the internet service provider network.
16. The method of claim 12, wherein the access point area comprises a first access point broadcasting the service set identifier (PEC SSID) of the enterprise network system and a second access point broadcasting the service set identifier (ISP SSID) of the internet service provider network, the method further comprising:
transmitting, by the first access point and the mobile controller in the enterprise network system, data packets between the local area network and the enterprise communication device; and
transmitting, by the second access point, data packets between the non-enterprise computing device and the mobile controller in the internet service provider network.
17. The method of claim 12, further comprising:
receiving an authentication request from the non-enterprise communication device at the access point area; and
tunneling the authentication request from the access point region to the mobile controller in the Internet service provider network.
18. The method of claim 17, further comprising:
forwarding the authentication request from the mobile controller to an AAA server in the Internet service provider network; and
receiving an authentication reply from the AAA server at the mobile controller in the Internet service provider network.
19. The method of claim 18, further comprising:
tunneling the authentication reply from the mobile controller to the access point area for forwarding to the non-enterprise communication device.
20. A non-transitory computer-readable medium having a plurality of code segments of a computer program that, when executed by a computing device, extend a public Wi-Fi hotspot of an internet service provider network to an enterprise network system and securely transmit data packets between a non-enterprise communication device and the internet service provider via a quarantine partition in the enterprise network system, the computer-readable medium comprising:
a PEC SSID broadcast code segment that, when executed by the computing device, controls an access point to broadcast a service set identifier (PEC SSID) of the enterprise network system;
an ISP SSID broadcast code segment that, when executed by the computing device, controls another access point to broadcast a service set identifier (ISP SSID) of the Internet service provider network;
an ISP tunneling code segment that, when executed by the computing device, creates a secure channel and tunnels data packets between the other access point and a mobile controller in the Internet service provider network to securely transmit data packets between the Internet service provider network and a non-enterprise computing device; and
a PEC tunneling code segment that, when executed by the computing device, creates a secure channel and tunnels data packets between the access point and a mobile controller in the enterprise network system to securely transfer data packets between a local area network in the enterprise network system and an enterprise computing device.
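The claims above describe two things a practitioner will want to see together: the binding of each SSID to its own tunnel and mobile controller (claims 1, 12 and 20), with the LAN firewall permitting only the tunnel itself (claim 2), and the authentication round trip for a hotspot client that is tunnelled to the ISP's mobile controller, forwarded to the ISP's AAA server and tunnelled back (claims 17 to 19). The following Python model is an added illustration written for this page; it is not the patent's implementation or any vendor's code. The controller and AAA names ("enterprise_mc", "isp_mc", "isp_aaa", "enterprise_aaa"), the SSIDs and the user lists are constructed placeholders, and the enterprise-side AAA path is an assumption, since the claims only spell out authentication for the non-enterprise device.

```python
"""Constructed model of the split-SSID / split-tunnel design in claims 1, 12 and 17-19.

Added illustration, not the patent's implementation. "enterprise_mc", "isp_mc",
"isp_aaa" and "enterprise_aaa" are placeholder names for the two mobile controllers
and the AAA servers; SSIDs and user lists are constructed sample data.
"""
from dataclasses import dataclass
from enum import Enum


class Zone(str, Enum):
    AP_AREA = "ap_area"                # access point area broadcasting both SSIDs
    ENTERPRISE_LAN = "enterprise_lan"  # local area network behind the firewall
    ISP_NETWORK = "isp_network"        # internet service provider network


@dataclass(frozen=True)
class Packet:
    client: str
    ssid: str
    requested_dst: Zone   # where the client *asked* to send the frame
    payload: str


class Firewall:
    """Stateless allow-list keyed by (source zone, destination zone, service)."""

    def __init__(self, rules):
        self.rules = set(rules)

    def permits(self, src, dst, service):
        return (src, dst, service) in self.rules


class EnterpriseNetwork:
    def __init__(self, pec_ssid, isp_ssid, enterprise_users, hotspot_users):
        self.pec_ssid = pec_ssid
        self.isp_ssid = isp_ssid
        self.enterprise_users = set(enterprise_users)
        self.hotspot_users = set(hotspot_users)   # stands in for the ISP AAA database
        # Claim 2: the only flow the LAN firewall lets out of the AP area towards
        # the ISP network is the mobile-controller tunnel itself.
        self.firewall = Firewall({(Zone.AP_AREA, Zone.ISP_NETWORK, "mc-tunnel")})
        # Claims 1 and 12: each SSID is bound to exactly one tunnel endpoint.
        self.tunnels = {
            pec_ssid: ("enterprise_mc", Zone.ENTERPRISE_LAN),
            isp_ssid: ("isp_mc", Zone.ISP_NETWORK),
        }
        self.delivered = []   # (zone, client, payload) for every frame leaving a tunnel

    def authenticate(self, client, ssid):
        """Claims 17-19: an auth request on the ISP SSID is tunnelled to the ISP mobile
        controller, forwarded to the ISP AAA server, and the reply tunnelled back.
        Returns (verdict, path) where path lists the hops in order."""
        if ssid == self.isp_ssid:
            path = ["ap_area", "isp_mc", "isp_aaa", "isp_mc", "ap_area"]
            verdict = "accept" if client in self.hotspot_users else "reject"
        elif ssid == self.pec_ssid:
            # Assumption: an enterprise AAA server behind the enterprise controller;
            # the claims do not spell out the enterprise-side authentication path.
            path = ["ap_area", "enterprise_mc", "enterprise_aaa", "enterprise_mc", "ap_area"]
            verdict = "accept" if client in self.enterprise_users else "reject"
        else:
            path, verdict = ["ap_area"], "reject"
        return verdict, path

    def forward(self, packet):
        """Push a frame from the AP area into the tunnel bound to its SSID.
        Returns the zone where the frame is delivered, or a 'dropped: ...' reason."""
        if packet.ssid not in self.tunnels:
            return "dropped: unknown ssid"
        controller, exit_zone = self.tunnels[packet.ssid]
        if exit_zone is Zone.ISP_NETWORK and not self.firewall.permits(
            Zone.AP_AREA, Zone.ISP_NETWORK, "mc-tunnel"
        ):
            return "dropped: firewall"
        # The quarantine partition: the tunnel terminates at its controller, so the
        # client's requested destination does not decide where the frame lands.
        self.delivered.append((exit_zone, packet.client, packet.payload))
        return exit_zone


def hotspot_can_reach_lan(net):
    """Probe: does any frame sent over the ISP SSID ever land on the enterprise LAN?"""
    for dst in Zone:
        net.forward(Packet("guest", net.isp_ssid, dst, "probe"))
    return any(z is Zone.ENTERPRISE_LAN and c == "guest" for z, c, _ in net.delivered)


def build_demo():
    # Constructed sample data: one enterprise user, one ISP hotspot subscriber.
    return EnterpriseNetwork("PEC-CORP", "ISP-HOTSPOT",
                             enterprise_users={"alice"}, hotspot_users={"guest"})


if __name__ == "__main__":
    net = build_demo()
    print(net.authenticate("guest", "ISP-HOTSPOT"))
    print(net.forward(Packet("guest", "ISP-HOTSPOT", Zone.ENTERPRISE_LAN, "GET /intranet")))
    print("hotspot reaches LAN:", hotspot_can_reach_lan(net))
```

The design point the model makes explicit is that isolation comes from where the tunnel terminates, not from the client's addressing: a hotspot frame addressed to the LAN still exits at the ISP mobile controller, and the firewall's allow-list has no entry that would let AP-area traffic into the LAN outside the enterprise tunnel. A real deployment would back `hotspot_users` with the ISP's AAA server and would carry the tunnel over an authenticated, encrypted transport; both are outside what this model shows.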

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US16/166,768 2018-10-22
US16/166,768 US10911411B2 (en) 2018-10-22 2018-10-22 Extending public WiFi hotspot to private enterprise network
PCT/US2019/057443 WO2020086584A1 (en) 2018-10-22 2019-10-22 Extending public wifi hotspot to private enterprise network

Publications (1)

Publication Number Publication Date
CN112889255A (en) 2021-06-01

Family

ID=68542794

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201980069933.7A Pending CN112889255A (en) 2018-10-22 2019-10-22 Extending public WIFI hotspots to private enterprise networks

Country Status (4)

Country Link
US (1) US10911411B2 (en)
EP (1) EP3871391A1 (en)
CN (1) CN112889255A (en)
WO (1) WO2020086584A1 (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11496902B2 (en) * 2017-09-29 2022-11-08 Plume Design, Inc. Access to Wi-Fi networks via two-step and two-party control
US11032743B1 (en) * 2019-11-30 2021-06-08 Charter Communications Operating, Llc Methods and apparatus for supporting devices of different types using a residential gateway
US20220330024A1 (en) * 2021-04-09 2022-10-13 Saudi Arabian Oil Company Third party remote access point on enterprise network

Citations (7)

Publication number Priority date Publication date Assignee Title
US20100182983A1 (en) * 2009-01-22 2010-07-22 Belair Networks Inc. System and method for providing wireless local area networks as a service
CN102612116A (en) * 2011-01-21 2012-07-25 捷讯研究有限公司 (Research In Motion Ltd.) Methods and apparatus for use in controlling an access point mode of operation for a mobile terminal
DE102015005387A1 (en) * 2015-04-28 2016-11-03 Walter Keller Method, communication terminal, router device, server device, Internet access and computer program for establishing and carrying out communication links between at least one terminal and the Internet
CN106657000A (en) * 2016-11-10 2017-05-10 深圳惠众联合科技有限责任公司 WLAN internal and external network access framework
CN107040929A (en) * 2015-12-03 2017-08-11 黑莓有限公司 (BlackBerry Ltd.) Devices, methods and systems for enabling multiple wireless communication devices to communicate with a trusted network via a secure connection
CN107251614A (en) * 2015-02-20 2017-10-13 高通股份有限公司 (Qualcomm Inc.) Access point steering
US20170347269A1 (en) * 2016-05-31 2017-11-30 At&T Intellectual Property I, L.P. Wi-fi virtualized network operator

Family Cites Families (9)

Publication number Priority date Publication date Assignee Title
US5610910A (en) 1995-08-17 1997-03-11 Northern Telecom Limited Access to telecommunications networks in multi-service environment
US6571221B1 (en) 1999-11-03 2003-05-27 Wayport, Inc. Network communication service with an improved subscriber model using digital certificates
US8041824B1 (en) 2005-04-14 2011-10-18 Strauss Acquisitions, L.L.C. System, device, method and software for providing a visitor access to a public network
WO2014165832A1 (en) * 2013-04-04 2014-10-09 Interdigital Patent Holdings, Inc. Methods for 3gpp wlan interworking for improved wlan usage through offload
US9629060B2 (en) 2014-06-06 2017-04-18 Oracle International Corporation Flexible routing policy for Wi-Fi offloaded cellular data
US10542462B2 (en) * 2014-07-14 2020-01-21 Convida Wireless, Llc Inter-system handover and multi-connectivity via an integrated small cell and WiFi gateway
US9992705B2 (en) 2015-10-16 2018-06-05 Cisco Technology, Inc. Wi-Fi calling quality of service on trusted WLAN networks
US20170230871A1 (en) * 2016-02-04 2017-08-10 Sooktha Consulting Private Limited Cellular Wireless Access Data Offload System
CN110268733B (en) 2016-12-30 2022-05-10 英国电讯有限公司 (British Telecommunications plc) Automatically pairing devices to a wireless network

Non-Patent Citations (1)

Title
于劭俊 (Yu Shaojun): "Building a Metropolitan Wireless Network Based on WiFi Technology", China Cable Television (《中国有线电视》) *

Also Published As

Publication number Publication date
US10911411B2 (en) 2021-02-02
US20200127972A1 (en) 2020-04-23
EP3871391A1 (en) 2021-09-01
WO2020086584A1 (en) 2020-04-30

Similar Documents

Publication Publication Date Title
US10009230B1 (en) System and method of traffic inspection and stateful connection forwarding among geographically dispersed network appliances organized as clusters
US9730269B2 (en) Method and system for partitioning wireless local area network
US9787632B2 (en) Centralized configuration with dynamic distributed address management
CN113812126B (en) Message transmission method, device and system, and readable storage medium
US8036161B2 (en) Wireless switch with virtual wireless switch modules
US7035281B1 (en) Wireless provisioning device
US7685295B2 (en) Wireless local area communication network system and method
US20130182651A1 (en) Virtual Private Network Client Internet Protocol Conflict Detection
US20040213172A1 (en) Anti-spoofing system and method
US20140153577A1 (en) Session-based forwarding
EP3459318B1 (en) Using wlan connectivity of a wireless device
US20150006737A1 (en) Method, apparatus, and system for providing network traversing service
US8611358B2 (en) Mobile network traffic management
CN112889255A (en) Extending public WIFI hotspots to private enterprise networks
CN109450905B (en) Method, device and system for transmitting data
CN111756565B (en) Managing satellite devices within a branched network
Kärkkäinen et al. Enabling ad-hoc-style communication in public wlan hot-spots
CN112654049A (en) Method for configuring wireless communication coverage extension system and wireless communication coverage extension system for implementing same
US9130896B2 (en) Distributed functionality across multiple network devices
EP4049427B1 (en) Distribution of stateless security functions
US20230336377A1 (en) Packet forwarding method and apparatus, and network system
US20210119859A1 (en) Topology Agnostic Security Services
US9231862B2 (en) Selective service based virtual local area network flooding
US11811556B2 (en) Methods and systems for network traffic management

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20210601